I've tried twice to reply to your first response. I am not sure why it is not posting. I am going to try again.
>First. LDAP (authentication) is only 1/2 of the big picture. You will
>still need to configure authorization on the repos themselves.

I have done this already. I have a separate configuration file for each repository. That looks like this:

    <Location /RepositoryName>
    dav svn
    SVNPath /disk01/home/RepositoryName
    AuthType Basic
    AuthBasicProvider ldap-FCGNET ldap-VIET
    AuthzLDAPAuthoritative off
    AuthName "CSC Subversion Repository"
    Require valid-user
    Require ldap-group CN=ADGroupName,OU=Europe,OU=Groups,DC=fcg,DC=com
    Require ldap-user pmoss
    </Location>

I have defined the LDAP aliases in the very first repository configuration file, as such:

    <AuthnProviderAlias ldap ldap-FCGNET>
    AuthLDAPBindDN FCGNET\svnuser
    AuthLDAPBindPassword xxxxxxxxx
    AuthLDAPURL ldap://xxxxxx.fcg.com:3268/DC=fcg,DC=com?samAccountName?sub?(objectCategory=person)
    </AuthnProviderAlias>

    <AuthnProviderAlias ldap ldap-VIET>
    AuthLDAPBindDN "CN=fcgvuser,OU=Service Accounts,OU=Users,OU=Production,DC=vdc,DC=csc,DC=com"
    AuthLDAPBindPassword xxxxxxxxxxx
    AuthLDAPURL ldap://xxxxx.vdc.csc.com:3268/DC=vdc,DC=csc,DC=com?samAccountName?sub?(objectCategory=person)
    </AuthnProviderAlias>

>Second, it's hard to help troubleshoot when you don't provide useful
>information or a direct question. Was there something you needed help
>with? I didn't see any questions other than "Can someone lend a hand in
>figuring out what I have done wrong, or need to do?"

I think that I have 2 separate issues:

1. I need to lock down access so that only the users in the associated AD group have access to the repository.
2. I need to be able to allow just my user account access to the repositories, without having to be added to all of the AD groups.

Right now, all valid users can access all repositories, whether they are a member of the Active Directory group or not. When I remove the "Require valid-user" line then no one, including the members of the Active Directory group, can access the repository.

PATI MOSS
System Engineer Sr.
Professional CSC

From: opensrcguru <opensrcg...@gmail.com>
To: users@subversion.apache.org
Date: 11/09/2010 02:12 PM
Subject: Re: locking down access to a repository

On Tue, Nov 9, 2010 at 12:54 PM, Patricia A Moss <pmo...@csc.com> wrote:

I appreciate all of the help that I am receiving. I have still not been successful in resolving this.

I removed the line:

    Require valid-user

I have tried using:

    ?samAccountName?sub?(objectClass=*)

Instead of:

    ?samAccountName?sub?(objectCategory=person)

That is the only difference I see in my config files and the examples in the Google hits. Yet I am still not successful in accessing the repository.

I am, apparently, quite a novice with SVN, LDAP and Active Directory because I am really confused as to how to proceed.

PATI MOSS
System Engineer Sr. Professional
CSC

From: kmra...@rockwellcollins.com
To: Patricia A Moss/USA/c...@csc
Cc: users@subversion.apache.org
Date: 11/09/2010 11:13 AM
Subject: Re: locking down access to a repository

Patricia A Moss <pmo...@csc.com> wrote on 11/09/2010 09:41:42 AM:

> From: Patricia A Moss <pmo...@csc.com>
> To: kmra...@rockwellcollins.com
> Cc: users@subversion.apache.org
> Date: 11/09/2010 09:41 AM
> Subject: Re: locking down access to a repository
>
> >I don't think you want the "Require valid-user" line, since by default it uses
> >ANY of the Require lines as matches. (And in your case valid-user matches all
> >users so it doesn't care you are also specifying a group and a user.)
>
> But if I remove that line then no one can access the repository.

I think you also may need to be less specific with your ldapurl (remove the objectclass or use * ??):

(Assuming Active Directory, this is like what I have used in the past)

    AuthLDAPURL "ldap://ad.example.com/ou=group,dc=example,dc=com?sAMAccountName"
    AuthLDAPGroupAttribute member
    Require ldap-group ...

It has been quite a while since I used LDAP groups instead of authz files...
This first Google hit has some examples:
http://www.held-im-ruhestand.de/software/apache-ldap-active-directory-authentication

As does this one:
http://ramblings.gibberishcode.net/archives/apache-22-and-active-directory-and-group-restrictions/36

Kevin R.

Although this is probably better suited for the apache/mod_ldap list, I'll attempt to help.

- Do your domain controllers support unencrypted binds (very dangerous)?
- Can you supply any apache/AD debug logs?
- Can you supply versions of apache/mod_ldap?
- Can you describe anything that is known to be working?

...this should be pretty straightforward to troubleshoot if you give us some useful information to work with. I speak without a full understanding of the list's user base, but I bet none of them can or ever will be able to read the minds of the end user with a problem (let alone know how their systems are configured). If there is such a wonderful beasty, I'd be mighty interested in meeting them.

/OSG
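An added example, not part of the thread or of Apache: a small Python audit that models the "any Require line matches" behaviour Kevin describes and flags <Location> blocks where "Require valid-user" overrides narrower rules. The function names are hypothetical, the sample is constructed from the configuration quoted above, and nothing here contacts LDAP.

```python
import re

# Constructed sample: the <Location> block quoted in the thread.
SAMPLE = """\
<Location /RepositoryName>
  AuthType Basic
  AuthBasicProvider ldap-FCGNET ldap-VIET
  Require valid-user
  Require ldap-group CN=ADGroupName,OU=Europe,OU=Groups,DC=fcg,DC=com
  Require ldap-user pmoss
</Location>
"""

LOCATION_RE = re.compile(r"<Location\s+(\S+)>(.*?)</Location>", re.S | re.I)
REQUIRE_RE = re.compile(r"^[ \t]*Require[ \t]+(\S+)[ \t]*(.*)$", re.M | re.I)

def parse_requires(conf):
    """Return {location_path: [(require_type, argument), ...]}."""
    return {path: [(t.lower(), a.strip()) for t, a in REQUIRE_RE.findall(body)]
            for path, body in LOCATION_RE.findall(conf)}

def is_authorized(requires, user, user_groups):
    """Assumed model: an authenticated user passes if ANY Require line matches."""
    groups = {g.casefold() for g in user_groups}
    for rtype, arg in requires:
        if rtype == "valid-user":
            return True                      # matches every authenticated user
        if rtype == "ldap-user" and user in arg.split():
            return True
        if rtype == "ldap-group" and arg.casefold() in groups:
            return True
    return False

def shadowed_requires(conf):
    """Locations where valid-user sits beside narrower Require lines."""
    findings = {}
    for path, reqs in parse_requires(conf).items():
        narrower = [r for r in reqs if r[0] != "valid-user"]
        if narrower and len(narrower) != len(reqs):
            findings[path] = narrower
    return findings

if __name__ == "__main__":
    for path, rules in shadowed_requires(SAMPLE).items():
        print(f"{path}: 'Require valid-user' overrides {len(rules)} narrower rule(s)")
```

The model covers only how the Require lines combine; it does not explain why the group check fails once valid-user is removed.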